Hackers Working for Chinese Military: Ugly Gorilla, DOTA, SuperHard

Mandiant has identified three personas working for Unit 61398

Building that houses Unit 61398

Earlier today we’ve learned that security firm Mandiant has published a comprehensive report detailing the activities of Unit 61398, the organization that’s believed to be behind many of the cyber espionage operations launched by China.

Besides technical details regarding APT1, as the campaign has been dubbed, Mandiant has also analyzed three personas closely tied to the unit.

According to Mandiant, Ugly Gorilla, DOTA and SuperHard – as the actors have been named – made “poor operational security choices,” allowing them to track their activities.

The name Ugly Gorilla, also known as Wang Dong, first emerged back in 2004, when he asked professor Zhang Zhaozhong, the director of the Military Technology and Equipment department of China’s National Defense University, if China had a cyber army similar to the one of the US.

Starting with 2004, his name appeared on several websites associated with APT1. Moreover, in 2007, a sample of the MANITSME family of malware was signed “v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007.”

The second APT1 persona, DOTA, has used variations of this online moniker for many of his accounts. The name is believed to stem from the popular Defense of the Ancients video game.

Investigators have managed to learn many of the passwords he used to protect his accounts. After gaining access to his Gmail, they found the phone number provided during the registration process. The area code indicated that it was a Shanghai mobile number.

While researchers haven’t managed to find any details of his real identity, they have been able to connect him to Ugly Gorilla. Apparently, both of them used the APT1 infrastructure, egress IP address ranges, and FQDNs.

The last persona is SuperHard. He is believed to be a significant contributor to the AURIGA and BANGAT malware families.

Based on some of the email addresses that he created, Mandiant has determined that the hacker might actually be one Mei Qiang, a Shanghai resident born in 1982.

Unfortunately, they haven’t been able to pinpoint the individual since there are several Mei Qiangs born in that year.